Abstract. We propose a novel algorithm for automata-based LTL model checking that interleaves the construction of the generalized Büchi automaton for the negation of the formula and the emptiness check. Our algorithm first converts the LTL formula into a linear weak alternating automaton; configurations of the alternating automaton correspond to the locations of a generalized Büchi automaton, and a variant of Tarjan's algorithm is used to decide the existence of an accepting run of the product of the transition system and the automaton. Because we avoid an explicit construction of the Büchi automaton, our approach can yield significant improvements in runtime and memory for large LTL formulas. The algorithm has been implemented within the SPIN model checker, and we present experimental results for some benchmark examples.



1 Introduction 

The automata-based approach to linear-time temporal logic (LTL) model checking reduces the problem of deciding whether a formula $\varphi$ holds of a transition system $T$ into two subproblems: first, one constructs an automaton $\mathcal{A}_{\neg\varphi}$ that accepts precisely the models of $\neg\varphi$. Second, one uses graph-theoretical algorithms to decide whether the product of $T$ and $\mathcal{A}_{\neg\varphi}$ admits an accepting run; this is the case if and only if $\varphi$ does not hold of $T$. On-the-fly algorithms [2] avoid an explicit construction of the product and are commonly used to decide the second problem. However, the construction of a non-deterministic Büchi (or generalized Büchi) automaton $\mathcal{A}_{\neg\varphi}$ is already of complexity exponential in the length of $\varphi$, and several algorithms have been suggested [3,4,5,7,18,20] that improve on the classical method for computing Büchi automata [9]. Still, there are applications, for example when verifying liveness properties over predicate abstractions [13], where the construction of $\mathcal{A}_{\neg\varphi}$ takes a significant fraction of the overall verification time. The relative cost of computing $\mathcal{A}_{\neg\varphi}$ is particularly high when $\varphi$ does not hold of $T$, because acceptance cycles are often found rather quickly when they exist.

In this paper we suggest an algorithm for LTL model checking that interleaves the construction of (a structure equivalent to) the automaton and the test for non-emptiness. Technically, the input to our algorithm is a transition system and a linear weak alternating automaton (LWAA, alternatively known as a very weak alternating automaton) corresponding to $\neg\varphi$. The size of the LWAA is linear in the length of the LTL formula, and the time for its generation is insignificant. It can be considered as a symbolic representation of the corresponding generalized Büchi automaton (GBA). LWAA have also been employed as an intermediate format in the algorithms suggested by Gastin and Oddoux [7], Fritz [5], and Schneider [17]. Our main contribution is the identification of a class of "simple" LWAA whose acceptance criterion is defined in terms of the sets of locations activated during a run, rather than the standard criterion in terms of automaton transitions. To explore the product of the transition system and the configuration graph of the LWAA, we employ a variant of Tarjan's algorithm to search for a strongly connected component that satisfies the automaton's acceptance condition.

We have implemented the proposed algorithm as an alternative verification method in the Spin model checker [12], and we discuss some implementation options and report on experimental results. Our implementation is available for download at http://www.pst.ifi.lmu.de/projekte/lw

2 LTL and linear weak alternating automata 

We define alternating ω-automata, especially LWAA, and present the translation from propositional linear-time temporal logic LTL to LWAA. Throughout, we assume a fixed finite set $\mathcal{V}$ of atomic propositions.

2.1 Linear weak alternating automata 

We consider automata that operate on temporal structures, i.e. ω-sequences of valuations of $\mathcal{V}$. Alternating automata combine the existential branching mode of non-deterministic automata (i.e., choice) with its dual, universal branching, where several successor locations are activated simultaneously. We present the transitions of alternating automata by associating with every location $q \in Q$ a propositional formula $\delta(q)$ over $\mathcal{V}$ and $Q$. For example, we interpret

$$\delta(q_1) = (v \wedge q_2 \wedge (q_1 \vee q_3)) \vee (\neg w \wedge q_1) \vee w$$

as asserting that if location $q_1$ is currently active and the current input satisfies $v$ then the automaton should simultaneously activate the locations $q_2$ and either $q_1$ or $q_3$. If the input satisfies $\neg w$ then $q_1$ should be activated. If the input satisfies $w$ then no successor locations need to be activated from $q_1$. Otherwise (i.e., if the input satisfies $\neg v$), the automaton blocks because the transition formula cannot be satisfied. At any point during a run, a set of automaton locations (a configuration) will be active, and transitions are required to satisfy the transition formulas of all active locations. Locations $q \in Q$ may only occur positively in transition formulas: locations cannot be inhibited. We use the following generic definition of alternating ω-automata:

Definition 1. An alternating ω-automaton is a tuple $\mathcal{A} = (Q, q_0, \delta, Acc)$ where

- $Q$ is a finite set (of locations) where $Q \cap \mathcal{V} = \emptyset$,

- $q_0 \in Q$ is the initial location,

- $\delta : Q \to \mathcal{B}(Q \cup \mathcal{V})$ is the transition function that associates a propositional formula $\delta(q)$ with every location $q \in Q$; locations in $Q$ can only occur positively in $\delta(q)$,

- and $Acc \subseteq Q^\omega$ is the acceptance condition.




Fig. 1. Visualization of alternating automata and run dags: (a) transition graph; (b) prefix of run dag with configurations.



When the transition formulas $\delta(q)$ are written in disjunctive normal form, the alternating automaton can be visualized as a hypergraph. For example, Fig. 1(a) shows an alternating ω-automaton and illustrates the above transition formula. We write $q \to q'$ if $q$ may activate $q'$, i.e. if $q'$ appears in $\delta(q)$.

Runs of an alternating ω-automaton over a temporal structure $\sigma = s_0 s_1 \ldots$ are not just sequences of locations but give rise to trees, due to universal branching. However, different copies of the same target location can be identified, and we obtain a more economical dag representation as illustrated in Fig. 1(b): the vertical "slices" of the dag represent configurations that are active before reading the next input state.

We identify a set and the Boolean valuation that makes true precisely the elements of the set. For example, we say that the sets $\{v, w, q_2, q_3\}$ and $\{w\}$ satisfy the formula $\delta(q_1)$ above. For a relation $r \subseteq S \times T$, we denote its domain by $dom(r)$. We denote the image of a set $A \subseteq S$ under $r$ by $r(A)$; for $x \in S$ we sometimes write $r(x)$ for $r(\{x\})$.

Definition 2. Let $\mathcal{A} = (Q, q_0, \delta, Acc)$ be an alternating ω-automaton and $\sigma = s_0 s_1 \ldots$, where $s_i \subseteq \mathcal{V}$, be a temporal structure. A run dag of $\mathcal{A}$ over $\sigma$ is represented by the ω-sequence $\Delta = e_0 e_1 \ldots$ of its edges $e_i \subseteq Q \times Q$. The configurations $c_0 c_1 \ldots$ of $\Delta$, where $c_i \subseteq Q$, are inductively defined by $c_0 = \{q_0\}$ and $c_{i+1} = e_i(c_i)$. We require that for all $i \in \mathbb{N}$, $dom(e_i) \subseteq c_i$ and that for all $q \in c_i$, the valuation $s_i \cup e_i(q)$ satisfies $\delta(q)$. A finite run dag is a finite prefix of a run dag.

A path in a run dag $\Delta$ is a (finite or infinite) sequence $\pi = p_0 p_1 \ldots$ of locations $p_i \in Q$ such that $p_0 = q_0$ and $(p_i, p_{i+1}) \in e_i$ for all $i$. A run dag $\Delta$ is accepting iff $\pi \in Acc$ holds for all infinite paths $\pi$ in $\Delta$. The language $L(\mathcal{A})$ is the set of words that admit some accepting run dag.

Because locations do not occur negatively in transition formulas $\delta(q)$, it is easy to see that whenever $s_i \cup X$ satisfies $\delta(q)$ for some set $X$ of locations, then so does $s_i \cup Y$ for any superset $Y$ of $X$. However, the dag resulting from replacing $X$ by $Y$ will have more paths, making the acceptance condition harder to satisfy. It is therefore enough to consider only run dags that arise from minimal models of the transition formulas w.r.t. the states of the temporal structure, activating as few successor locations as possible.



LWAA are alternating ω-automata whose accessibility relation determines a partial order: $q'$ is reachable from $q$ only if $q'$ is smaller than or equal to $q$. We are interested in LWAA with a co-Büchi acceptance condition:

Definition 3. A (co-Büchi) linear weak alternating automaton $\mathcal{A} = (Q, q_0, \delta, F)$ is a tuple where $Q$, $q_0$, and $\delta$ are as in Def. 1 and $F \subseteq Q$ is a set of locations, such that

- the relation $\preceq$ defined by $q' \preceq q$ iff $q \to^* q'$ is a partial order on $Q$ and

- the acceptance condition is given by

$$Acc = \{ p_0 p_1 \ldots \in Q^\omega : p_i \in F \text{ for only finitely many } i \in \mathbb{N} \}.$$

In particular, the hypergraph of the transitions of an LWAA does not contain cycles other than self-loops, and run dags of LWAA do not contain "rising edges" as in Fig. 1. It follows that every infinite path eventually remains stable at some location $q$, and the acceptance condition requires that $q \notin F$ holds for that "limit location". LWAA characterize precisely the class of star-free ω-regular languages, which correspond to first-order definable ω-languages and therefore also to the languages definable by propositional LTL formulas [21,22].

2.2 From LTL to LWAA 

Formulas of LTL (over atomic propositions in $\mathcal{V}$) are built using the connectives of propositional logic and the temporal operators $\mathbf{X}$ (next) and $\mathbf{U}$ (until). They are interpreted over a temporal structure $\sigma = s_0 s_1 \ldots \in (2^{\mathcal{V}})^\omega$ as follows; we write $\sigma|_i$ to denote the suffix $s_i s_{i+1} \ldots$ of $\sigma$ from state $s_i$:

$\sigma \models p$ iff $p \in s_0$

$\sigma \models \neg\varphi$ iff $\sigma \not\models \varphi$

$\sigma \models \varphi \wedge \psi$ iff $\sigma \models \varphi$ and $\sigma \models \psi$

$\sigma \models \mathbf{X}\varphi$ iff $\sigma|_1 \models \varphi$

$\sigma \models \varphi\,\mathbf{U}\,\psi$ iff for some $i \in \mathbb{N}$, $\sigma|_i \models \psi$ and for all $j < i$, $\sigma|_j \models \varphi$

We freely use the standard derived operators of propositional logic and the following derived temporal connectives:

$\mathbf{F}\varphi = \mathrm{true}\,\mathbf{U}\,\varphi$ (eventually $\varphi$)

$\mathbf{G}\varphi = \neg\mathbf{F}\neg\varphi$ (always $\varphi$)

$\varphi\,\mathbf{V}\,\psi = \neg(\neg\varphi\,\mathbf{U}\,\neg\psi)$ ($\varphi$ releases $\psi$)

An LTL formula $\varphi$ can be understood as defining the language

$$L(\varphi) = \{ \sigma \in (2^{\mathcal{V}})^\omega : \sigma \models \varphi \},$$

and the automata-theoretic approach to model checking builds on this identification of formulas and languages, via an effective construction of automata $\mathcal{A}_\varphi$ accepting the language $L(\varphi)$. The definition of an LWAA $\mathcal{A}_\varphi$ is particularly simple [15]: without loss of generality, we assume that LTL formulas are given in negation normal form (i.e., negation is applied only to propositions), and therefore include clauses for the dual operators $\vee$ and $\mathbf{V}$. The automaton is $\mathcal{A}_\varphi = (Q, q_\varphi, \delta, F)$ where $Q$ contains a location $q_\psi$ for every subformula $\psi$ of $\varphi$, with $q_\varphi$ being the initial location. The transition formulas $\delta(q_\psi)$ are defined in Fig. 2(a); in particular, LTL operators are simply decomposed according to their fixpoint characterizations. The set $F$ of co-final locations consists of all locations $q_{\psi \mathbf{U} \chi} \in Q$ that correspond to "until" subformulas of $\varphi$. It is easy to verify that the resulting automaton $\mathcal{A}_\varphi$ is an LWAA: for any locations $q_\psi$ and $q_\chi$, the definition of $\delta(q_\psi)$ ensures that $q_\psi \to q_\chi$ holds only if $\chi$ is a subformula of $\psi$. Correctness proofs for the construction can be found in [15,23]; conversely, Rohde [16] and Löding and Thomas [14] prove that for every LWAA $\mathcal{A}$ there is an LTL formula $\varphi_{\mathcal{A}}$ such that $L(\varphi_{\mathcal{A}}) = L(\mathcal{A})$.

Fig. 2. Translation of LTL formulas into LWAA.

The number of subformulas of an LTL formula $\varphi$ is linear in the length of $\varphi$, and therefore so is the size of $\mathcal{A}_\varphi$. However, in practice the automaton should be minimized further. Clearly, unreachable locations can be eliminated. Moreover, whenever there is a choice between activating sets $X$ or $Y$ of locations where $X \subseteq Y$ from some location $q$, the smaller set $X$ should be preferred, and $Y$ should be activated only if $X$ cannot be. As a simple example, we can define $\delta(q_{\mathbf{F}p}) = p \vee (\neg p \wedge q_{\mathbf{F}p})$ instead of $\delta(q_{\mathbf{F}p}) = p \vee q_{\mathbf{F}p}$.

Figure 2 shows two linear weak alternating automata obtained from LTL formulas by applying this construction (the locations in $F$ are indicated by double circles).

Further minimizations are less straightforward. Because the automaton structure closely resembles the structure of the LTL formula, heuristics to minimize the LTL formula [4,18] are important. Fritz and Wilke [6] discuss more elaborate optimizations based on simulation relations on the set $Q$ of locations.



3 Deciding language emptiness for LWAA 

In general, it is nontrivial to decide language emptiness for alternating ω-automata, due to their intricate combinatorial structure; a configuration consists of a set of automaton locations that have to "synchronize" on the current input state during a transition to a successor configuration. The standard approach is therefore based on a translation to non-deterministic Büchi automata, for which emptiness can be decided in linear time. Unfortunately, this translation is of exponential complexity.



Linear weak alternating automata have a simpler combinatorial structure; the transition graph contains only trivial cycles, and therefore a run dag is non-accepting only if it contains a path that ends in a self-loop at some location $q \in F$. This observation gives rise to the following non-emptiness criterion for LWAA, which is closely related to Theorem 2 of [7]:

Theorem 4. Assume that $\mathcal{A} = (Q, q_0, \delta, F)$ is an LWAA. Then $L(\mathcal{A}) \neq \emptyset$ if and only if there exists a finite run dag $\Delta = e_0 e_1 \ldots e_n$ with configurations $c_0 c_1 \ldots c_{n+1}$ over a finite sequence $s_0 \ldots s_n$ of states and some $k \le n$ such that

1. $c_k = c_{n+1}$ and

2. for every $q \in F$, one has $(q, q) \notin e_j$ for some $j$ where $k \le j \le n$.

Proof. "If": Consider the infinite dag $\Delta' = e_0 \ldots e_{k-1} (e_k \ldots e_n)^\omega$. Because $c_k = c_{n+1}$, it is obvious that $\Delta'$ is a run dag over $\sigma = s_0 \ldots s_{k-1} (s_k \ldots s_n)^\omega$; we now show that $\Delta'$ is accepting. Assume, to the contrary, that $\pi = p_0 p_1 \ldots$ is some infinite path in $\Delta'$ such that $p_i \in F$ holds for infinitely many $i \in \mathbb{N}$. Because $\mathcal{A}$ is an LWAA, there exists some $m \in \mathbb{N}$ and some $q \in Q$ such that $p_i = q$ for all $i \ge m$. It follows that $(q, q) \in e_i$ holds for all $i \ge m$, which is impossible by assumption (2) and the construction of $\Delta'$. Therefore, $\Delta'$ must be accepting, and $L(\mathcal{A}) \neq \emptyset$.

"Only if": Assume that $\sigma = s_0 s_1 \ldots \in L(\mathcal{A})$, and let $\Delta' = e_0 e_1 \ldots$ be some accepting run dag of $\mathcal{A}$ over $\sigma$. Since $Q$ is finite, $\Delta'$ can contain only finitely many different configurations $c_0, c_1, \ldots$, and there is some configuration $c \subseteq Q$ such that $c_i = c$ for infinitely many $i \in \mathbb{N}$. Denote by $i_0 < i_1 < \ldots$ the ω-sequence of indexes such that $c_{i_j} = c$. If there were some $q \in F$ such that $q \in e_j(q)$ for all $j \ge i_0$ (implying in particular that $q \in c_j$ for all $j \ge i_0$ by Def. 2), then $\Delta'$ would contain an infinite path ending in a self-loop at $q$, contradicting the assumption that $\Delta'$ is accepting. Therefore, for every $q \in F$ there must be some $j_q \ge i_0$ such that $(q, q) \notin e_{j_q}$. Choosing $k = i_0$ and $n = i_m - 1$ for some $m$ such that $i_m > j_q$ for all (finitely many) $q \in F$, we obtain a finite run dag $\Delta$ as required. □

Observe that Thm. 4 requires us to inspect the transitions of the dag and not just the configurations. In fact, a run dag may well be accepting although some location $q \in F$ is contained in all (or almost all) configurations. For example, consider the LWAA for the formula $\mathbf{G}\mathbf{X}\mathbf{F}p$: the location $q_{\mathbf{F}p}$ will be active in every run dag from the second configuration onward, even if the run dag is accepting. We now introduce a class of LWAA for which it is enough to inspect the configurations.

Definition 5. An LWAA $\mathcal{A} = (Q, q_0, \delta, F)$ is simple if for all $q \in F$, all $q' \in Q$, all states $s \subseteq \mathcal{V}$, and all $X, Y \subseteq Q$ not containing $q$, if $s \cup X \cup \{q\} \models \delta(q')$ and $s \cup Y \models \delta(q)$ then $s \cup X \cup Y \models \delta(q')$.

In other words, if a co-final location $q$ can be activated from some location $q'$ for some state $s$ while it can be exited during the same transition, then $q'$ has an alternative transition that avoids activating $q$, and this alternative transition activates only locations that would anyway have been activated by the joint transitions from $q$ and $q'$. For simple LWAA, non-emptiness can be decided on the basis of the visited configurations alone, without memorizing the graph structure of the run dag.




Fig. 3. Illustration of the construction of Thm. 6.



Theorem 6. Assume that $\mathcal{A} = (Q, q_0, \delta, F)$ is a simple LWAA. Then $L(\mathcal{A}) \neq \emptyset$ if and only if there exists a finite run dag $\Delta = e_0 e_1 \ldots e_n$ with configurations $c_0 c_1 \ldots c_{n+1}$ over a finite sequence $s_0 \ldots s_n$ of states and some $k \le n$ such that

1. $c_k = c_{n+1}$ and

2. for every $q \in F$, one has $q \notin c_j$ for some $j$ where $k \le j \le n$.

Proof. "If": The assumption $q \notin c_j$ and the requirement that $dom(e_j) \subseteq c_j$ imply that $(q, q) \notin e_j$; therefore $L(\mathcal{A}) \neq \emptyset$ follows using Thm. 4.

"Only if": Assume that $L(\mathcal{A}) \neq \emptyset$, obtain a finite run dag $\Delta$ satisfying the conditions of Thm. 4, and let $l = n - k + 1$ denote the length of the loop. "Unwinding" $\Delta$, we obtain an infinite run dag $e_0 e_1 \ldots$ over the temporal structure $s_0 s_1 \ldots$ whose edges are $e_i = e_{k + ((i - k) \bmod l)}$ for $i > n$, and similarly for the states $s_i$ and the configurations $c_i$. W.l.o.g. we assume that the dag contains no unnecessary edges, i.e. that for all $e_i \in \Delta$, $(q, q') \in e_i$ holds only if $q \to q'$.

We inductively construct an infinite run dag $\Delta' = e'_0 e'_1 \ldots$ with configurations $c'_0 c'_1 \ldots$ such that $c'_i \subseteq c_i$ as follows: let $c'_0 = c_0$ and for $i < k$, let $e'_i = e_i$ and $c'_{i+1} = c_{i+1}$. For $i \ge k$, assume that $c'_i$ has already been defined. Let $F_i$ denote the set of $q \in c'_i \cap F$ such that $(q, q) \notin e_i$ but $q \in e_i(c'_i)$, and for any $q \in F_i$ let $Q'_q$ denote the set of locations $q' \in c'_i$ such that $(q', q) \in e_i$ and let $Y_q = e_i(q)$. Because $\mathcal{A}$ is simple, it follows that $s_i \cup (e_i(q') \setminus \{q\}) \cup Y_q \models \delta(q')$, for all $q \in F_i$ and $q' \in Q'_q$. We let $e'_i$ be obtained from the restriction of $e_i$ to $c'_i$ by deleting all edges $(q', q)$ for $q \in F_i$ and adding edges $(q', q'')$ for all $q' \in Q'_q$ and $q'' \in Y_q$, for $q \in F_i$. Clearly, this ensures that $c'_{i+1} \subseteq c_{i+1}$ holds for the resulting configuration and that $c'_{i+1} \cap F_i = \emptyset$.

For any $q \in F_i$, the definition of an LWAA and the assumption that $q \notin Y_q$ ensure that $q'' \prec q$ holds for all $q'' \in Y_q$, as well as $q \preceq q'$ for all $q' \in Q'_q$. In particular, we must have $q'' \neq q'$ for all $q'' \in Y_q$ and $q' \in Q'_q$; therefore $e'_i$ does not contain more self-loops than $e_i$: for all $p \in Q$ we have $(p, p) \in e'_i$ only if $(p, p) \in e_i$.

Consequently, $\Delta'$ is an accepting infinite run dag such that for every $q \in F$ there exists some $j \ge k$ such that $q \notin c'_j$. It now suffices to pick some $n \ge k$ satisfying the conditions of the theorem; such an $n$ exists because $F$ is finite and $\Delta'$ can contain only finitely many different configurations. □

Fig. 3 illustrates two accepting run dags for a simple LWAA: the dag shown above satisfies the criterion of Thm. 4 although the co-final location corresponding to $\mathbf{F}p$ remains active from the second configuration onward. The dag shown below is the result of the transformation described in the proof, and indeed the location $\mathbf{F}p$ is infinitely often inactive.

We now show that the LWAA $\mathcal{A}_\varphi$ for an LTL formula $\varphi$ is simple provided $\varphi$ does not contain subformulas $\mathbf{X}(\chi\,\mathbf{U}\,\chi')$. Such subformulas are easily avoided because $\mathbf{X}$ distributes over $\mathbf{U}$. Actually, our implementation exploits the commutativity of $\mathbf{X}$ with all LTL connectives to rewrite formulas such that no other temporal operators are in the scope of $\mathbf{X}$; this is useful for preliminary simplifications at the formula level. Also, the transformations described at the end of Sect. 2.2 ensure that the LWAA remains simple.

Theorem 7. For any LTL formula $\varphi$ that does not contain any subformula $\mathbf{X}(\chi\,\mathbf{U}\,\chi')$, the automaton $\mathcal{A}_\varphi$ is a simple LWAA.

Proof. Let $\mathcal{A}_\varphi = (Q, q_\varphi, \delta, F)$ and assume that $q \in F$, $q' \in Q$, and $X, Y \subseteq Q$ are as in Def. 5; in particular $s \cup X \cup \{q\} \models \delta(q')$ and $s \cup Y \models \delta(q)$. The proof is by induction on $\psi$ where $q' = q_\psi$.

$\psi = (\neg)v$: $\delta(q') = (\neg)v$, so we must have $s \models \delta(q')$, and the assertion $s \cup X \cup Y \models \delta(q')$ follows trivially.

$\psi = \chi \otimes \chi'$, $\otimes \in \{\wedge, \vee\}$: $\delta(q') = \delta(q_\chi) \otimes \delta(q_{\chi'})$, and the assertion follows easily from the induction hypothesis.

$\psi = \mathbf{X}\chi$: $\delta(q') = q_\chi$, and by assumption $\chi$ is not an $\mathbf{U}$ formula, so $q_\chi \notin F$. In particular, $q_\chi \neq q$, and so the assumption $s \cup X \cup \{q\} \models \delta(q')$ implies that $s \cup X \models \delta(q')$, and the assertion $s \cup X \cup Y \models \delta(q')$ follows by monotonicity.

$\psi = \chi\,\mathbf{U}\,\chi'$: $\delta(q') = \delta(q_{\chi'}) \vee (\delta(q_\chi) \wedge q')$. In case $s \cup X \cup \{q\} \models \delta(q_{\chi'})$, the induction hypothesis implies $s \cup X \cup Y \models \delta(q_{\chi'})$, hence also $s \cup X \cup Y \models \delta(q')$. If $s \cup X \cup \{q\} \models \delta(q_\chi) \wedge q'$, we consider two cases: if $q = q'$ then $s \cup Y \models \delta(q')$ holds by assumption. Moreover, $s \cup X \cup Y \models \delta(q_\chi)$ holds by induction hypothesis, and the assertion follows. Otherwise, we must have $q' \in X$. Again, $s \cup X \cup Y \models \delta(q_\chi)$ follows from the induction hypothesis, and since $q' \in X$ it follows that $s \cup X \cup Y \models \delta(q_\chi) \wedge q'$.

$\psi = \chi\,\mathbf{V}\,\chi'$: $\delta(q') = \delta(q_{\chi'}) \wedge (\delta(q_\chi) \vee q')$. In particular, $s \cup X \cup \{q\} \models \delta(q_{\chi'})$, and we obtain $s \cup X \cup Y \models \delta(q_{\chi'})$ by induction hypothesis. If $s \cup X \cup \{q\} \models \delta(q_\chi)$, we similarly obtain $s \cup X \cup Y \models \delta(q_\chi)$. Otherwise, note that $q \neq q'$ because $q \in F$ and $q' \notin F$ (since it is not an $\mathbf{U}$ formula). Therefore, we must have $s \cup X \models q'$, and a fortiori $s \cup X \cup Y \models q'$, completing the proof. □

Let us note in passing that simple LWAA are as expressive as LWAA, i.e. they also characterize the class of star-free ω-regular languages: from [14,16] we know that for every LWAA $\mathcal{A}$ there is an LTL formula $\varphi_{\mathcal{A}}$ such that $L(\varphi_{\mathcal{A}}) = L(\mathcal{A})$. Since $\mathbf{X}$ distributes over $\mathbf{U}$, $\varphi_{\mathcal{A}}$ can be transformed into an equivalent formula $\varphi'$ of the form required in Thm. 7, and $\mathcal{A}_{\varphi'}$ is a simple LWAA accepting the same language as $\mathcal{A}$.
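To make the construction of Sect. 2.2 and the simplicity condition of Def. 5 concrete, here is an added Python example; it is not code from the paper or from the LwaaSpin implementation. It builds $\mathcal{A}_\varphi$ from a formula in negation normal form using the transition formulas of Fig. 2(a) as restated case by case in the proof of Thm. 7, and then checks Def. 5 by brute force over all $q \in F$, $q' \in Q$, $s \subseteq \mathcal{V}$ and $X, Y \subseteq Q \setminus \{q\}$. The nested-tuple encoding of formulas and the two inputs $\mathbf{X}(p\,\mathbf{U}\,q)$ and $(\mathbf{X}p)\,\mathbf{U}\,(\mathbf{X}q)$ are my own choices; the run confirms Thm. 7 on them, since the automaton for $\mathbf{X}(p\,\mathbf{U}\,q)$ is not simple while the one for the equivalent formula obtained by distributing $\mathbf{X}$ over $\mathbf{U}$ is.

```python
from itertools import combinations

# Constructed encoding of LTL formulas in negation normal form as nested tuples:
#   ("p", v) / ("np", v)      atomic proposition v or its negation
#   ("and", f, g), ("or", f, g), ("X", f), ("U", f, g), ("V", f, g)
# Transition formulas additionally use ("loc", f) for the location q_f.

def subformulas(f):
    """All subformulas of f; the LWAA has one location per subformula."""
    out = {f}
    for arg in f[1:]:
        if isinstance(arg, tuple):
            out |= subformulas(arg)
    return out

def delta(f):
    """delta(q_f) following the fixpoint decomposition of Fig. 2(a), as
    restated case by case in the proof of Thm. 7."""
    kind = f[0]
    if kind in ("p", "np"):
        return f
    if kind in ("and", "or"):
        return (kind, delta(f[1]), delta(f[2]))
    if kind == "X":
        return ("loc", f[1])
    if kind == "U":  # chi U chi' = chi' or (chi and X(chi U chi'))
        return ("or", delta(f[2]), ("and", delta(f[1]), ("loc", f)))
    if kind == "V":  # chi V chi' = chi' and (chi or X(chi V chi'))
        return ("and", delta(f[2]), ("or", delta(f[1]), ("loc", f)))
    raise ValueError(f"unknown connective {kind!r}")

def lwaa(phi):
    """A_phi = (Q, q_phi, delta, F) with F = locations of 'until' subformulas."""
    Q = frozenset(subformulas(phi))
    F = frozenset(f for f in Q if f[0] == "U")
    return Q, phi, {f: delta(f) for f in Q}, F

def holds(formula, s, active):
    """s ∪ active ⊨ formula, for a state s (set of propositions) and a set of
    active locations."""
    kind = formula[0]
    if kind == "p":
        return formula[1] in s
    if kind == "np":
        return formula[1] not in s
    if kind == "loc":
        return formula[1] in active
    if kind == "and":
        return holds(formula[1], s, active) and holds(formula[2], s, active)
    if kind == "or":
        return holds(formula[1], s, active) or holds(formula[2], s, active)
    raise ValueError(f"unknown connective {kind!r}")

def powerset(items):
    items = sorted(items, key=repr)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def is_simple(automaton, props):
    """Brute-force check of Def. 5: for all q in F, q' in Q, s ⊆ V and
    X, Y ⊆ Q \\ {q}: s∪X∪{q} ⊨ δ(q') and s∪Y ⊨ δ(q) imply s∪X∪Y ⊨ δ(q')."""
    Q, _, d, F = automaton
    for q in F:
        others = powerset(Q - {q})
        for qp in Q:
            for s in powerset(props):
                for X in others:
                    if not holds(d[qp], s, X | {q}):
                        continue
                    for Y in others:
                        if holds(d[q], s, Y) and not holds(d[qp], s, X | Y):
                            return False
    return True

# Constructed inputs: X(p U q) has a subformula of the shape excluded by Thm. 7;
# (X p) U (X q) is the equivalent formula after distributing X over U.
P, QP = ("p", "p"), ("p", "q")
NOT_SIMPLE = ("X", ("U", P, QP))
SIMPLE = ("U", ("X", P), ("X", QP))

if __name__ == "__main__":
    for phi in (NOT_SIMPLE, SIMPLE):
        Q, _, _, F = lwaa(phi)
        print(phi, "->", len(Q), "locations,", len(F), "co-final, simple:",
              is_simple(lwaa(phi), {"p", "q"}))
```

The brute-force check is exponential in $|Q|$ and $|\mathcal{V}|$ and is meant only to validate the definition on small automata; for the translation itself, Thm. 7 makes the check unnecessary once the formula has been rewritten so that no until-subformula is in the scope of $\mathbf{X}$.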

4 Model checking algorithm 

We describe a model checking algorithm based on the nonemptiness criterion of Thm. 6 and we discuss some design decisions encountered in our implementation. The algorithm has been integrated within the LTL model checker Spin, and we present some results that have been obtained on benchmark examples.



procedure Visit(s, C):
  let c = (s, C) in
    inComp[c] := false; root[c] := c; labels[c] := ∅;
    cnt[c] := cnt; cnt := cnt + 1; seen := seen ∪ {c};
    push(c, stack);
    forall c' = (s', C') in Succ(c) do
      if c' ∉ seen then Visit(s', C') end if;
      if ¬inComp[c'] then
        if cnt[root[c']] < cnt[root[c]] then
          labels[root[c']] := labels[root[c']] ∪ labels[root[c]];
          root[c] := root[c']
        end if;
        labels[root[c]] := labels[root[c]] ∪ (f_lwaa \ C);   // f_lwaa = co-final locations
        if labels[root[c]] = f_lwaa then raise Good_Cycle end if;
      end if;
    end forall;
    if root[c] = c then
      repeat
        d := pop(stack);
        inComp[d] := true;
      until d = c;
    end if;
  end let;
end Visit;

procedure Check:
  stack := empty; seen := ∅; cnt := 0;
  Visit(init_ts, {init_lwaa});   // start with initial location
end Check;

Fig. 4. LWAA-based model checking algorithm.



4.1 Adapting Tarjan's algorithm

Theorem 6 contains the core of our model checking algorithm: given the simple LWAA $\mathcal{A}_{\neg\varphi}$ corresponding to the negation $\neg\varphi$ of the property to be verified, we explore the product of the transition system $T$ and the graph of configurations of $\mathcal{A}_{\neg\varphi}$, searching for a strongly connected component that satisfies the acceptance condition. In fact, in the light of Thm. 6, a simple LWAA $\mathcal{A}$ can alternatively be viewed as a symbolic representation of a GBA whose locations are sets of locations of $\mathcal{A}$, and that has an acceptance condition per co-final location of $\mathcal{A}$.

The traditional CVWY algorithm for LTL model checking based on Büchi automata has been generalized for GBA by Tauriainen [21], but we find it easier to adapt Tarjan's algorithm [19] for finding strongly connected components in graphs. Figure 4 gives a pseudo-code representation of our algorithm. The depth-first search operates on pairs $(s, C)$ where $s$ is a state of the transition system and $C$ is a configuration of the LWAA. Given a pair $c = (s, C)$, the call to Succ computes the set $succ_T(s) \times succ_{\mathcal{A}}(s, C)$ containing all pairs $c' = (s', C')$ of successor states $s'$ of the transition system and successor configurations $C'$ of the LWAA, i.e. those $C'$ which satisfy $s \cup C' \models \delta(q)$ for all $q \in C$. Tarjan's algorithm assigns a so-called root candidate root to each node of the graph, which is the oldest node on the stack known to belong to the same SCC.



In model checking, we are not so much interested in actually computing SCCs; it is sufficient to verify that the acceptance criterion of Thm. 6 is met for some strongly connected subgraph (SCS). To do so, we associate a labels field with the root candidate of each SCC that accumulates the locations $q \in F$ that have been found absent in some pair $(s, C)$ contained in the SCC. Whenever labels is found to contain all co-final locations of the LWAA (denoted by f_lwaa), the SCS must be accepting and the search is aborted. Note that we need to maintain two stacks: one for the depth-first search recursion, and one for identifying SCCs.

If an accepting SCS is found, we also want to produce a counter-example, and Tarjan's algorithm is less convenient for this purpose than the CVWY algorithm, whose recursion stack contains the counter-example once a cycle has been detected. In our case, neither the recursion stack nor the SCC stack represents a complete counter-example. A counter-example can still be obtained by traversing the nodes of an accepting SCS that have already been visited, without re-considering the transition system. We add two pointers to our node representation in the SCC stack, representing "backward" and "forward" links that point to the pair from which the current node was reached and to the oldest pair on the stack that is a successor of the current pair. Indeed, one can show that the subgraph of nodes on the SCC stack with neighborhood relation

$$\{ (c, c') : c' = forward(c) \text{ or } c = backward(c') \}$$

also forms an SCS of the product graph. A counter-example can now be produced by enforcing a visit to all the pairs that satisfy some acceptance condition.
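The search of Fig. 4 in executable form, as an added example that is not the paper's or Spin's code: the product graph is a hand-constructed successor table over pairs $(s, C)$ rather than the on-the-fly product of a Promela model and an LWAA, and the co-final set `F_LWAA` is a constructed placeholder. The labels bookkeeping follows Fig. 4 line by line, so the example shows when an SCS is reported accepting (every co-final location is absent from some pair of the SCS) and when a pair lacking a co-final location is correctly ignored because it lies outside the cycle.

```python
class GoodCycle(Exception):
    """Raised as soon as an accepting strongly connected subgraph is found."""

def check(succ, init, f_lwaa):
    """Depth-first search of Fig. 4 over a product graph given as a successor
    table succ: node -> iterable of nodes, where a node is a pair (s, C) of a
    transition-system state s and a configuration C (frozenset of locations).
    Returns True iff an SCS is found whose pairs jointly omit every co-final
    location in f_lwaa (the criterion of Thm. 6)."""
    cnt = 0
    seen, in_comp, root, labels, num, stack = set(), {}, {}, {}, {}, []

    def visit(c):
        nonlocal cnt
        _, C = c
        in_comp[c], root[c], labels[c] = False, c, frozenset()
        num[c] = cnt
        cnt += 1
        seen.add(c)
        stack.append(c)
        for c2 in succ.get(c, ()):
            if c2 not in seen:
                visit(c2)
            if not in_comp[c2]:
                # c2 is still on the SCC stack, so c and c2 share an SCC:
                # the older root candidate wins and inherits the labels.
                if num[root[c2]] < num[root[c]]:
                    labels[root[c2]] |= labels[root[c]]
                    root[c] = root[c2]
                # record the co-final locations absent from the current pair
                labels[root[c]] |= f_lwaa - C
                if labels[root[c]] == f_lwaa:
                    raise GoodCycle(root[c])
        if root[c] == c:            # c is the root of a completed SCC: pop it
            while True:
                d = stack.pop()
                in_comp[d] = True
                if d == c:
                    break

    try:
        visit(init)
    except GoodCycle:
        return True
    return False

# Constructed toy products (not derived from any model or formula);
# F_LWAA is a placeholder co-final set with a single location qF.
F_LWAA = frozenset({"qF"})
N0, N1, N2 = (0, frozenset({"qG", "qF"})), (1, frozenset({"qG"})), (2, frozenset({"qG", "qF"}))
ACCEPTING = {N0: [N1], N1: [N2], N2: [N1]}       # qF is absent from N1, which lies on the cycle
M0, M1, M2 = (0, frozenset({"qG"})), (1, frozenset({"qG", "qF"})), (2, frozenset({"qG", "qF"}))
NOT_ACCEPTING = {M0: [M1], M1: [M2], M2: [M1]}   # qF is absent only from M0, which is off the cycle

if __name__ == "__main__":
    print("accepting SCS found:", check(ACCEPTING, N0, F_LWAA))        # True
    print("accepting SCS found:", check(NOT_ACCEPTING, M0, F_LWAA))    # False
```

Note that labels are only merged when the successor is still on the SCC stack; once an SCC has been popped (`in_comp` set), pairs that merely reach it no longer contribute, which is why `M0` does not make the second graph accepting.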

4.2 Computation of successor configurations 

The efficient generation of successor configurations in $succ_{\mathcal{A}}(s, C)$ is a crucial part of our algorithm. Given a configuration $C \subseteq Q$ of the LWAA and a state $s$ of the transition system (which we identify with a valuation of the propositional variables), we need to compute the set of all $C'$ such that $s \cup C' \models \delta(q)$ holds for all $q \in C$. Moreover, we are mainly interested in finding minimal successor configurations.

An elegant approach towards computing successor configurations makes use of BDDs [1]. In fact, the transitions of an LWAA can be represented by a single BDD. The set of minimal successor configurations is obtained by conjoining this BDD with the BDD representations of the state $s$ and the source configuration $C$, and then extracting the set of all satisfying valuations of the resulting BDD. Some experimentation convinced us, however, that the resulting BDDs become too big for large LTL formulas. Alternatively, one can store BDDs representing $\delta(q)$ for each location $q$ and form the conjunction of all $\delta(q)$ for $q \in C$. Again, this approach turned out to consume too much memory.

We finally resorted to using BDDs only as a representation of configurations. To do so, we examine the hyperedges of the transition graph of the LWAA, which correspond to the clauses of the disjunctive normal form of $\delta(q)$. For every location $q \in C$, we compute the disjunction of its enabled transitions, and then take the conjunction over all locations in $C$. We thus obtain

$$succ_{\mathcal{A}}(s, C) = \bigwedge_{q \in C} \Big( \bigvee_{t \in enabled(s, q)} t|_Q \Big)$$

as the BDD representing the set of successor configurations, where $enabled(s, q)$ denotes the set of enabled transitions of $q$ for state $s$, i.e. those transitions $t$ for which $s \cup Q \models t$. Although this requires pre-computing a potentially exponentially large set of transitions, this approach appears to be fastest for BDD-based calculation of successor nodes.

We compare this approach to a direct calculation of successor configurations that stores them as a sorted list, which is pruned to remove non-minimal successors. Although the pruning step is of quadratic complexity in our implementation (it could be improved to $O(n \log n)$ time), experiments showed that it pays off handsomely because fewer nodes need to be explored in the graph search.
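As an added example (not the LwaaSpin code), the direct successor-configuration calculation of this section in Python: an LWAA is given directly by the DNF hyperedges of its transition formulas, `enabled(s, q)` selects the clauses whose literals hold in $s$, `successors` forms the unions over one enabled clause per active location, and `prune_minimal` is the quadratic pruning step. The automaton is constructed for illustration: locations `qF` and `qU` stand for the subformulas $\mathbf{F}p$ and $p\,\mathbf{U}\,q$, with the unminimized $\delta(q_{\mathbf{F}p}) = p \vee q_{\mathbf{F}p}$ from Sect. 2.2 so that non-minimal successors actually arise.

```python
# Constructed LWAA given by the DNF hyperedges of its transition formulas.
# Each clause is (positive propositions, negative propositions, activated
# locations), i.e. the transition t with t|_Q being the third component.
#   delta(qF) = p  or  qF            (unminimized F p)
#   delta(qU) = q  or  (p and qU)    (p U q)
DELTA = {
    "qF": [(frozenset({"p"}), frozenset(), frozenset()),
           (frozenset(), frozenset(), frozenset({"qF"}))],
    "qU": [(frozenset({"q"}), frozenset(), frozenset()),
           (frozenset({"p"}), frozenset(), frozenset({"qU"}))],
}

def enabled(delta, s, q):
    """Hyperedges of q whose propositional literals hold in state s; each is
    returned as the set of locations it activates (its restriction to Q)."""
    return [locs for pos, neg, locs in delta[q] if pos <= s and not (neg & s)]

def successors(delta, s, C):
    """All C' with s ∪ C' ⊨ delta(q) for every q ∈ C: choose one enabled
    hyperedge per active location and unite the activated locations.
    The result is a sorted, duplicate-free list (the representation of
    Sect. 4.2), ordered by size so that smaller configurations come first."""
    partial = [frozenset()]
    for q in C:
        clauses = enabled(delta, s, q)
        if not clauses:
            return []          # an active location blocks: no successor at all
        partial = [acc | locs for acc in partial for locs in clauses]
    return sorted(set(partial), key=lambda c: (len(c), sorted(c)))

def prune_minimal(configs):
    """Drop every configuration that strictly contains another one; qu
    adratic in the number of configurations, like the pruning step in the text."""
    return [c for c in configs if not any(d < c for d in configs)]

def minimal_successors(delta, s, C):
    return prune_minimal(successors(delta, s, C))

if __name__ == "__main__":
    # constructed states: valuations of the propositions p and q
    for s in ({"p"}, {"p", "q"}, {"q"}, set()):
        print(sorted(s), "->",
              [sorted(c) for c in minimal_successors(DELTA, s, {"qF", "qU"})])
```

With $s = \{p\}$ the unpruned list is $\{q_U\}$ and $\{q_F, q_U\}$, of which only the first is minimal; with $s = \{p, q\}$ all four subsets of $\{q_F, q_U\}$ are successors and only the empty configuration survives pruning; with $s = \emptyset$ the location $q_U$ blocks and there is no successor.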

4.3 Adapting Spin 

Either approach to computing successors works best if we can efficiently determine the set of enabled transitions of an LWAA location. One way to do this is to generate C source code for a given LWAA and then use the CPU arithmetics. The Spin model checker employs a similar approach, albeit for Büchi automata, and this is one of the reasons why we adapted it to use our algorithm.

Spin [10,12] is generally considered as one of the fastest and most complete tools for protocol verification. For a given model (written in Promela) and Büchi automaton (called "never-claim"), it generates C sources that are then compiled to produce a model-specific model checker. Spin also includes a translation from LTL formulas to Büchi automata, but for our comparisons we used the LTL2ba tool due to Gastin and Oddoux [7], which is faster by orders of magnitude for large LTL formulas.

Our adaptation, called LwaaSpin, adds the generation of LWAA to Spin, and modifies the code generation to use Tarjan's algorithm and on-the-fly calculation of successor configurations. This involved about 150 code changes, and added about 2600 lines of code. Spin includes elaborate optimizations, such as partial-order reduction, that are independent of the use of non-deterministic or alternating automata and that can therefore be used with our implementation as well. We have not yet adapted Spin's optimizations of memory usage such as bitstate hashing to our algorithm, although we see no obstacle in principle to doing so.

4.4 Experimental results 

Geldenhuys and Valmari [8] have recently proposed to use Tarjan's algorithm, but for non-deterministic Büchi automata, and we have implemented their algorithm for comparison. We have not been able to reproduce their results indicating that Tarjan's algorithm outperforms the CVWY algorithm on nondeterministic Büchi automata (their paper does not indicate which implementation of CVWY was used). In our experiments, both algorithms perform head-to-head on most examples. We now describe the results for the implementation based on LWAA.

For most examples, the search for an accepting SCS in the product graph is slower than the runtime of the model checker produced by Spin after LTL2ba has generated the Büchi automaton. However, our algorithm can be considerably faster than generating the Büchi automaton and then checking the emptiness of the product automaton for large LTL formulas. Note, however, that both Spin and our implementation use unguided search, and we can thus not exactly compare single instances of satisfiable problems.

Large LTL formulas are not as common as one might expect. Spin's implementation 
of the C VWY algorithm can handle weak fairness of processes directly; such conditions 
do not have to be added to the LTL formula to be verified. We present two simple and 
scalable examples: the dining philosophers problem and a binary semaphore protocol. 

For the dining philosophers example, we want to verify that if every philosopher 
holds exactly one fork infinitely often, then philosopher 1 will eventually eat: 

G¥hasForki A . . . AGF hasFork„ => GFeaf i 

The model dinphil« denotes the situation where all n philosophers start with their 
right-hand fork, which may lead to a deadlock. The model dinphil«i avoids the dead- 
lock by letting the «-th philosopher start with his left-hand fork. 

For the binary semaphore example we claim that if strong fairness is ensured for each process, all processes will eventually have been in their critical section:

$(\mathbf{GF}\, canenter_1 \Rightarrow \mathbf{GF}\, enter_1) \wedge \ldots \wedge (\mathbf{GF}\, canenter_n \Rightarrow \mathbf{GF}\, enter_n) \Rightarrow \mathbf{F}\, allcrit$

By sfgood$n$, we denote a constellation with $n$ processes and strong fairness assumed for each of them, while sfbad$n$ denotes the same constellation, except with weak fairness for process $p_n$, which will allow the process to starve.
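As an added example that is not code from the paper or from LwaaSpin, the following Python evaluates the two properties above on lasso-shaped runs, the shape in which an accepting-SCS search reports a counter-example; the formula encoding, the property builders and the three-philosopher runs are all constructed here.

```python
from functools import lru_cache
# Constructed checker (not the paper's code): formulas are nested tuples
# ('ap', p), ('and', f, g), ('imp', f, g), ('F', f), ('G', f); a run is a
# lasso (prefix, loop), the shape of every counter-example an SCS search yields.

def holds(formula, prefix, loop):
    """True iff the lasso word prefix . loop^omega satisfies formula."""
    assert loop, "a lasso needs a non-empty loop"
    word = list(prefix) + list(loop)
    p, n = len(prefix), len(word)

    def reach(i):  # positions visited from i on: rest of the prefix, then the whole loop
        return range(i if i < p else p, n)

    @lru_cache(maxsize=None)
    def ev(f, i):
        op = f[0]
        if op == 'ap':
            return f[1] in word[i]
        if op == 'and':
            return ev(f[1], i) and ev(f[2], i)
        if op == 'imp':
            return not ev(f[1], i) or ev(f[2], i)
        if op == 'F':
            return any(ev(f[1], j) for j in reach(i))
        if op == 'G':
            return all(ev(f[1], j) for j in reach(i))
        raise ValueError(f"unknown operator {op!r}")

    return ev(formula, 0)

def GF(p):
    return ('G', ('F', ('ap', p)))

def conj(fs):
    out = fs[0]
    for f in fs[1:]:
        out = ('and', out, f)
    return out

def dinphil_property(n):  # GF hasFork_1 /\ ... /\ GF hasFork_n => GF eat_1
    return ('imp', conj([GF(f'hasFork{i}') for i in range(1, n + 1)]), GF('eat1'))

def semaphore_property(n):  # /\_i (GF canenter_i => GF enter_i) => F allcrit
    fair = [('imp', GF(f'canenter{i}'), GF(f'enter{i}')) for i in range(1, n + 1)]
    return ('imp', conj(fair), ('F', ('ap', 'allcrit')))

# Constructed three-philosopher runs in which everyone holds one fork in every round.
STARVING_RUN = ([], [{'hasFork1', 'hasFork2', 'hasFork3'}])            # philosopher 1 never eats
FAIR_RUN = ([], [{'hasFork1', 'hasFork2', 'hasFork3'}, {'eat1'}])      # philosopher 1 eats each round
```

The starving run satisfies every fairness hypothesis yet violates the conclusion, so it is exactly the kind of accepting cycle the search for dinphil$n$ reports.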

Table 1 contains timings (in seconds) for the different steps of the verification process for Spin 4.1.1 and for our LwaaSpin implementation. Spin requires successive invocations of ltl2ba, spin, gcc and pan; LwaaSpin combines the first two stages. The times were measured on an Intel Pentium 4, 3.0 GHz computer with 1GB main memory running Linux and without other significant process activity. Entries "o.o.t." indicate that the computation did not finish within 2 hours, while "o.o.m." means "out of memory".

We can see that most of the time required by Spin is spent on preparing the pan model checker, either by calculating the non-deterministic Büchi automata for the dining philosophers, or by handling the large automata sources for the binary semaphore example. LwaaSpin significantly reduces the time taken for pre-processing.

The sizes of the generated automata are indicated in Table 2. "States seen" denotes the number of distinct states (of the product automaton) encountered by LwaaSpin using the direct successor configuration calculation approach. It should be noted that the Büchi automata for the dining philosophers example are very small compared to the size of the formula, and are in fact linear; even for the dinphil10i case, the automaton contains only 12 locations. This is not true for the semaphore example: the Büchi automaton for sfgood7 contains 3025 locations and 23391 transitions. Still, one advantage of using LTL2ba is that a Büchi automaton that has been computed once can be stored and reused; this could reduce the overall verification time for the dining philosophers example where the same formula is used for both the valid and the invalid model.

We can draw two conclusions from our data: first, the preprocessing by lwaaspin uses very little time because we do not have to calculate the Büchi automaton (although strictly speaking our implementation is also exponential because it transforms the transition formulas into disjunctive normal form). This makes up for the usually inferior performance of our pan version. It also means that we can at least start a model checking run, even for very large LTL formulas, in the hope of finding a counter-example. Second, we can check larger LTL formulas. Ultimately, we encounter the same difficulties as Spin during both the gcc and the pan phases; after all, we are confronted with a PSPACE-complete problem. The pre-processing phase could be further reduced by avoiding the generation of an exponential number of transitions in the C sources, postponing more work to the pan executable. Besides, the bitstate hashing technique as implemented in Spin [11] could also be applied to Tarjan's algorithm.

| Problem    | Counter-example | Spin: ltl2ba | Spin: spin | Spin: gcc | Spin: pan | LwaaSpin: lwaaspin | LwaaSpin: gcc | LwaaSpin: pan |
|------------|-----------------|--------------|------------|-----------|-----------|--------------------|---------------|---------------|
| dinphil6   | yes | 0.431    | 0.019   | 0.601  | 0.079   | 0.019 | 0.579  | 0.163   |
| dinphil8   | yes | 35.946   | 0.02    | 0.671  | 0.133   | 0.027 | 0.818  | 0.166   |
| dinphil10  | yes | 3611.724 | 0.025   | 0.767  | 1.642   | 0.057 | 1.899  | 0.170   |
| dinphil12  | yes | o.o.t.   | –       | –      | –       | 0.141 | 6.644  | 0.206   |
| dinphil14  | yes | –        | –       | –      | –       | 0.499 | 28.082 | 0.431   |
| dinphil15  | yes | –        | –       | –      | –       | 0.972 | o.o.m. | –       |
| dinphil6i  | no  | 0.431    | 0.024   | 0.639  | 0.244   | 0.020 | 0.616  | 0.569   |
| dinphil8i  | no  | 35.946   | 0.021   | 0.711  | 7.309   | 0.028 | 0.861  | 20.177  |
| dinphil10i | no  | 3611.724 | 0.025   | 0.807  | 722.874 | 0.070 | 2.623  | 623.760 |
| dinphil11i | no  | o.o.t.   | –       | –      | –       | 0.099 | 3.438  | o.o.m.  |
| sfbad6     | yes | 1.904    | 0.912   | 7.284  | 0.025   | 0.066 | 2.211  | 1.312   |
| sfbad7     | yes | 27.674   | 42.525  | o.o.m. | –       | 0.179 | 7.423  | 7.848   |
| sfbad8     | yes | –        | –       | –      | –       | 0.784 | 43.472 | 7.000   |
| sfbad9     | yes | –        | –       | –      | –       | 2.627 | o.o.m. | –       |
| sfgood6    | no  | 2.292    | 17.329  | 27.608 | 2.193   | 0.064 | 2.227  | 2.540   |
| sfgood7    | no  | 36.306   | 417.485 | o.o.m. | –       | 0.357 | 8.214  | 15.940  |
| sfgood8    | no  | –        | –       | –      | –       | 0.718 | 42.688 | 140.130 |
| sfgood9    | no  | –        | –       | –      | –       | 2.634 | o.o.m. | –       |

Table 1. Comparison of Spin and LwaaSpin (BDD-less successor calculation); times in seconds.

| Problem    | Successor calculation: BDD | Successor calculation: direct | LWAA: Locations | LWAA: Transitions | Büchi: Locations | Büchi: Transitions | States seen |
|------------|---------|---------|----|-------|------|-------|--------------------------------|
| dinphil6   | 0.834   | 0.761   | 10 | 207   | 8    | 36    | 105                            |
| dinphil8   | 1.194   | 1.011   | 12 | 787   | 10   | 55    | 119                            |
| dinphil10  | 2.803   | 2.126   | 14 | 3095  | 12   | 78    | 133                            |
| dinphil6i  | 1.291   | 1.205   | 10 | 207   | 8    | 36    | 46165                          |
| dinphil8i  | 21.802  | 21.021  | 12 | 787   | 10   | 55    | 1.2 · 10^? (exponent illegible) |
| dinphil10i | 643.006 | 626.453 | 14 | 3095  | 12   | 78    | 1.5 · 10^? (exponent illegible) |
| sfbad6     | 16.664  | 3.589   | 26 | 4140  | 252  | 1757  | 137882                         |
| sfbad7     | 354.874 | 15.461  | 30 | 16435 | 1292 | 8252  | 597686                         |
| sfgood6    | 32.261  | 4.831   | 26 | 4139  | 972  | 5872  | 221497                         |
| sfgood7    | 115.539 | 24.511  | 30 | 16434 | 3025 | 23391 | 872589                         |

Table 2. Comparison of successor calculation, and sizes of the automata.

Table 2 also compares the two approaches to computing successor configurations described in Sect. 4.2. The BDD-based approach appears to be less predictable and never outperforms the direct computation, but further experience is necessary to better understand the tradeoff.

5 Conclusion and further work 

We have presented a novel algorithm for the classical problem of LTL model checking. 
It uses an LWAA encoding of the LTL property as a symbolic representation of the 
corresponding GBA, which is effectively generated on the fly during the state space 
search, and never has to be stored explicitly. By adapting the Spin model checker to 
our approach, we validate that, for large LTL formulas, the time gained by avoiding the 
expensive construction of a non-deterministic Büchi automaton more than makes up for 
the runtime penalty due to the implicit GBA generation during model checking, and this 
advantage does not appear to be offset by the simplifications applied to the intermediate 
automata by algorithms such as LTL2ba. However, we do not yet really understand the 
relationship between minimizations at the automaton level and the local optimizations 
applied in our search. 

We believe that our approach opens the way to verifying large LTL formulas by 
model checking. Further work should investigate the possibilities that arise from this 
opportunity, such as improving techniques for software model checking based on pred- 
icate abstraction. Also, our implementation still leaves room for performance improve- 
ments. In particular, the LWAA should be further minimized, the representation of tran- 
sitions could be reconsidered, and the memory requirements could be reduced by clever 
coding techniques. 